Our resources provide the essential tools, guides, and insights to help your business stay ahead of data privacy regulations. From practical templates to expert articles, we ensure you have everything you need to navigate compliance with confidence.
Table of content
Last Updated: 2026-07-16 ~ DPDP Consultants
Every time a user visits a website in India,
dozens of cookies are placed on their browser. Some keep the session alive.
Some remember language preferences. Others track every page the user visits,
build a behavioral profile, and share that profile with advertising networks
across the internet. Until now, most Indian websites have treated cookies as an
invisible backend function, deploying them silently without informing users or
seeking their consent.
The Digital Personal Data Protection Act, 2023
(DPDPA), changes this entirely. Under the Act, any data that identifies or is
capable of identifying an individual is personal data. Cookies that store user
IDs, track browsing behavior, record IP addresses, or create unique identifiers
for advertising purposes fall squarely within this definition. When a website
places such cookies on a user's browser without informed consent, it is
processing personal data in violation of the law.
The compliance deadline is May 2027. By that
date, every website that serves Indian users must have a DPDPA-compliant cookie
consent mechanism in place. This is not a minor technical update. It requires
auditing every cookie on the website, classifying them by purpose, redesigning
consent banners, updating privacy policies, building consent withdrawal
mechanisms, and maintaining records that prove compliance.
This guide provides a plain-language, practical
breakdown of what the DPDPA means for website cookies, what changes every
website must make, and how to implement compliant cookie consent management
before the deadline.
Chapter 2: Are Cookies Personal Data Under the DPDPA?
The DPDPA defines personal data as any data
about an individual who is identifiable by or in relation to such data.
Cookies That Are Personal Data
•
Unique
Identifiers: Cookies that
assign a unique ID to a user (such as Google Analytics _ga cookies, Facebook
_fbp cookies, or any session ID tied to a logged-in account) create an
identifier that can be linked back to a specific individual. This is personal
data.
•
Behavioral
Tracking: Cookies that track which
pages a user visits, how long they spend on each page, what they click, what
they add to a cart, or what they search for, create a behavioral profile. When
this profile is linked to a device, an IP address, or a user account, it becomes
personal data.
•
Cross-Site
Tracking: Third-party advertising
cookies (such as those placed by Google Ads, Meta Pixel, or programmatic
advertising platforms) track users across multiple websites, building detailed
profiles that can include interests, purchasing intent, location history, and demographic
inferences. This data is personal data under the DPDPA.
•
Authentication
and Session Cookies: Cookies that
maintain a logged-in session are directly tied to a user account and are
therefore personal data. However, these fall under legitimate use provisions
when they are strictly necessary for providing the service.
Cookies That May Not Be Personal
Data
Strictly necessary cookies that perform a purely
technical function without identifying the user, such as load balancing
cookies, CSRF tokens, or cookies that remember whether a cookie consent banner
has been dismissed, may not constitute personal data if they do not create or
use any identifier linked to an individual. However, the burden of proving that
a cookie does not process personal data falls on the Data Fiduciary, not the
user.
Chapter 3: Types of Cookies and Their DPDPA Classification
Not all cookies are created equal. Understanding
the four main categories of cookies and their compliance requirements under the
DPDPA is essential for building a compliant consent mechanism.
1. Strictly Necessary Cookies
These cookies are essential for the website to
function. They enable core features like page navigation, secure areas access,
shopping cart functionality, and session management. Without them, the website
cannot operate as intended. Under the DPDPA, strictly necessary cookies may be
processed under the legitimate use provision without requiring explicit
consent, because the user has voluntarily accessed the website and these
cookies are necessary to provide the requested service. However, websites should
still disclose these cookies in their privacy policy and cookie notice for
transparency.
2. Functional Cookies
Functional cookies enhance the user experience
by remembering preferences such as language selection, region, text size, or
display settings. While they improve usability, they are not essential for the
website to function. Under the DPDPA, functional cookies require explicit
consent because they process personal data (user preferences linked to a
browser or session) for a purpose beyond the core service delivery. Users must
be given the choice to accept or reject these cookies without being denied access
to the website.
3. Analytics Cookies
Analytics cookies collect data about how users
interact with the website: which pages are visited, how long users spend on
each page, bounce rates, traffic sources, and user flow. Tools like Google
Analytics, Adobe Analytics, and Hotjar use these cookies extensively. Under the
DPDPA, analytics cookies require explicit consent. They create unique
identifiers, track behavior over time, and build profiles that constitute
personal data. The fact that the data may be "anonymized" or
"aggregated" at some point in the processing pipeline does not
eliminate the consent requirement, because the initial collection involves
personal data.
4. Advertising and Tracking
Cookies
These are the most invasive category.
Advertising cookies are placed by third-party ad networks (Google Ads, Meta,
programmatic platforms) and track users across multiple websites to build
interest profiles for targeted advertising. They enable retargeting (showing
ads for products a user browsed on another site), cross-device tracking, and
audience segmentation. Under the DPDPA, advertising and tracking cookies
absolutely require explicit, informed, and granular consent. They process
personal data for a purpose entirely separate from the service the user
requested. Consent must be specific to this purpose, and the user must be able
to reject these cookies while still accessing the website.
Chapter 4: What Is Wrong with Most Cookie Banners Today
Most Indian websites currently fail to meet
DPDPA standards for cookie consent.
Common Violations
•
Implied Consent: Many websites display a banner that says
"By continuing to browse this site, you agree to our use of cookies."
This is implied consent, and it does not meet the DPDPA's requirement of free,
specific, informed, and unambiguous consent given through a clear affirmative
action.
•
No Granular
Choice: Most banners offer only an
"Accept All" or "OK" button. Users cannot choose which
categories of cookies to accept and which to reject. The DPDPA requires
purpose-specific consent, meaning users must be able to consent to necessary
cookies while rejecting analytics or advertising cookies.
•
Pre-Selected
Options: Some websites present cookie
preference panels where all categories are pre-selected (opt-out model). Under
the DPDPA, consent must be opt-in. Non-essential cookies must be deselected by
default, and the user must actively choose to enable them.
•
Dark Patterns: Websites that make the "Accept All"
button prominent and large while hiding the "Reject" or "Manage
Preferences" option in small text or behind additional clicks are using
dark patterns. The DPDPA requires that rejecting cookies be as easy as
accepting them.
•
No Withdrawal
Mechanism: Most websites
have no mechanism for users to change their cookie preferences after the
initial banner interaction. The DPDPA requires that consent withdrawal be as
easy as giving consent.
• Cookies Fired Before Consent: Many websites load analytics and advertising cookies immediately when the page loads, before the user has even seen the consent banner. Under the DPDPA, non-essential cookies must not be placed until the user has given affirmative consent.
Chapter 5: What a DPDPA-Compliant Cookie Banner Looks Like
A compliant cookie consent mechanism under the
DPDPA must meet several specific requirements. Here is what every website needs
to implement.
Clear and Prominent Notice
The cookie banner must clearly inform users that
the website uses cookies, explain what cookies are used for in plain language,
and describe the specific categories of cookies deployed. The notice must be
available in English and, where the website serves users in specific regions,
in the relevant regional languages listed in the Eighth Schedule of the
Constitution.
Granular Consent Options
Users must be presented with a clear breakdown
of cookie categories: strictly necessary (pre-enabled, not toggleable),
functional, analytics, and advertising/tracking. Each non-essential category
must be off by default (opt-in model). Users must be able to toggle each
category individually. The banner should include three action buttons:
"Accept All" (enables all categories), "Reject All"
(disables all non-essential categories), and "Save Preferences"
(applies the user's custom selection). All three buttons must be equally
prominent, with no dark patterns making one option visually dominant.
No Cookies Before Consent
Non-essential cookies must not be placed on the
user's browser until affirmative consent has been obtained. This requires
implementing a consent-first architecture where analytics scripts, advertising
pixels, and functional cookie scripts are blocked from loading until the user
makes their selection. Only strictly necessary cookies may be loaded before
consent.
Easy Withdrawal
The website must provide a persistent and easily
accessible mechanism for users to revisit and change their cookie preferences
at any time. This is typically implemented as a small floating icon (often a
cookie or shield icon) or a link in the website footer labeled "Cookie
Preferences" or "Manage Cookies." Withdrawing consent must be as
simple as giving it: the same number of clicks, the same level of visibility.
Consent Records
The Data Fiduciary must maintain records of
consent: when consent was given, what was consented to, the version of the
consent notice presented, and when consent was withdrawn. These records serve
as proof of compliance in case of a regulatory inquiry or complaint to the Data
Protection Board.
Chapter 6: Step-by-Step Compliance Checklist
Achieving cookie compliance under the DPDPA
requires a structured approach. The following checklist outlines the seven
essential steps every website must complete before May 2027.
Step 1: Audit All Cookies
Conduct a complete audit of every cookie placed
by your website. Use browser developer tools or automated scanning tools to
identify all first-party and third-party cookies, their source scripts, their
purpose, their expiration period, and whether they process personal data. This
audit must cover all pages, not just the homepage.
Step 2: Classify Cookies by Type
and Purpose
Categorize every cookie into one of the four
categories: strictly necessary, functional, analytics, or advertising/tracking.
Document the purpose of each cookie, the data it collects, the third parties it
shares data with, and its retention period. This classification forms the
foundation of your consent mechanism.
Step 3: Implement a Granular
Consent Banner
Design and deploy a cookie consent banner that
meets DPDPA requirements: clear notice, granular category-level toggles, opt-in
defaults for non-essential cookies, equally prominent Accept All/Reject
All/Save Preferences buttons, and no cookies fired before consent. Ensure the
banner appears on every page for first-time visitors and is accessible for
returning visitors to modify their preferences.
Step 4: Update Your Privacy Policy
Your privacy policy must include a detailed
cookie section that lists all cookies used, their categories, their purposes,
the third parties involved, and their retention periods. The policy must
explain how users can manage their cookie preferences, withdraw consent, and
exercise their rights under the DPDPA.
Step 5: Enable Consent Withdrawal
Implement a persistent, easily accessible
mechanism for users to change their cookie preferences after the initial
consent interaction. This can be a floating icon, a footer link, or a dedicated
cookie preferences page. When a user withdraws consent for a cookie category,
the corresponding cookies must be deleted and the associated scripts must stop
loading.
Step 6: Maintain Consent Records
Build or deploy a system that records every
consent interaction: the timestamp, the consent version, the categories
consented to, and any subsequent modifications or withdrawals. These records
are essential for demonstrating compliance during audits or regulatory
inquiries.
Step 7: Deploy Automated Cookie
Consent Management
Manual cookie management is not sustainable for
websites with dozens of cookies, frequent updates, and millions of visitors.
Automated Cookie Consent Management platforms handle the entire lifecycle:
scanning for new cookies, classifying them, presenting compliant banners,
blocking scripts before consent, recording consent, and managing withdrawals.
This is the most effective way to ensure ongoing compliance as your website
evolves.
Chapter 7: Impact on Key Industries
Cookie compliance affects every industry, but
some sectors face unique challenges due to the nature of their websites, the
volume of user traffic, and the types of cookies they deploy.
E-Commerce
E-commerce websites are among the heaviest users
of cookies. They deploy session cookies for cart management, analytics cookies
to track conversion funnels, retargeting cookies to bring back abandoned cart
users, and affiliate tracking cookies to attribute sales. Under the DPDPA, the
retargeting and advertising cookies that drive a significant portion of
e-commerce revenue will require explicit consent. Websites must ensure that
users can shop and checkout without being forced to accept non-essential cookies.
Media and Publishing
News websites, blogs, and digital publications
rely heavily on advertising revenue, which depends on tracking cookies that
build reader profiles for programmatic ad sales. The DPDPA will require these
websites to obtain consent before loading ad-tech scripts. This may reduce the
volume of targetable impressions, pushing publishers toward consent-or-pay
models or contextual advertising strategies that do not rely on personal data.
Banking and Financial Services
Banks, NBFCs, insurance companies, and fintech
platforms collect highly sensitive data through their websites. Analytics
cookies that track how users interact with loan calculators, investment pages,
or insurance quote forms can reveal financial intent and risk profile. Under
the DPDPA, these cookies require consent, and the sensitivity of the inferred
data raises the compliance stakes significantly.
Healthcare
Healthcare websites, telemedicine platforms, and
pharmacy portals process data that can reveal health conditions and treatment
interests. A user browsing pages about diabetes management or cancer treatment
creates a health-related behavioral profile through analytics cookies. Under
the DPDPA, processing this data without consent is a clear violation with
heightened risk.
Government and Public Sector
Government websites serving citizens, such as
tax portals, benefit platforms, and e-governance services, must also comply.
While some processing may fall under the State's legitimate use provision,
analytics and third-party cookies on government websites still require
compliance. The government's own data protection obligations set the standard
for the private sector.
Chapter 8: How DPDP Consultants Can Help
Cookie compliance is not a one-time fix. It is
an ongoing operational requirement that must keep pace with website changes,
new cookie deployments, and evolving regulations. DPDP Consultants provides
end-to-end cookie compliance services as part of our broader DPDPA compliance
program.
Cookie Notice Formulation
Beyond the technology, getting the cookie notice
right is a legal and communication challenge. Our Cookie Notice Formulation
consulting service helps organisations draft clear, legally compliant, and
user-friendly cookie notices that meet DPDPA requirements while maintaining
brand trust.
•
Comprehensive review of all cookies deployed on
your website and mapping each cookie to a specific, clearly stated processing
purpose that satisfies DPDPA's informed consent requirement.
•
Drafting of plain-language cookie notices that
explain what data is collected, why it is collected, who it is shared with, and
how long it is retained, written for real users rather than legal departments.
•
Purpose-specific consent language tailored to
each cookie category (functional, analytics, advertising) so that consent is
genuinely informed and granular, not bundled into a single blanket statement.
•
Alignment of cookie notices with your broader
Privacy Policy and Terms of Use to ensure consistency across all user-facing
disclosures and eliminate contradictions that regulators may flag.
•
Periodic review and update of cookie notices
whenever new cookies are added, third-party integrations change, or regulatory
guidance evolves, ensuring your notice remains accurate and compliant at all
times.
•
Regional language adaptation of cookie notices
into Hindi and other scheduled languages as required by the DPDPA, ensuring
that users across India can understand what they are consenting to.
Cookie Consent Management Tool
Our automated Cookie Consent Management platform
handles the complete cookie compliance lifecycle for your website.
•
Automated
scanning and detection of all cookies on your website, including new cookies
added by script updates or third-party integrations.
•
Automatic
classification of cookies into compliant categories with human review and
approval workflow.
•
DPDPA-compliant
consent banner with granular category-level toggles, opt-in defaults, and
equally prominent Accept/Reject/Save buttons.
•
Consent-first
architecture that blocks non-essential scripts until the user provides
affirmative consent.
•
Persistent
consent withdrawal mechanism accessible from every page.
•
Comprehensive
consent record keeping with timestamp, version, category, and modification
history for audit readiness.
•
Multi-language
support for consent banners, covering English, Hindi, and regional languages.
Broader Compliance Support
Cookie consent is one piece of the DPDPA
compliance puzzle. DPDP Consultants also provides DPDPA Gap Assessment, Privacy
Framework Implementation, DPO as a Service, and the full suite of DPDPA
Automation Tools including Data Principal Consent Management, Grievance
Redressal, DPIA, Awareness Programs, and Third-Party Assessment.
Frequently Asked Questions (FAQs)
Q: Do all cookies require consent
under the DPDPA?
A: No. Strictly necessary cookies that are
essential for the website to function (session management, security tokens,
load balancing) may be processed under the legitimate use provision without
explicit consent. All other cookies, including functional, analytics, and
advertising cookies, require informed, specific, and affirmative consent.
Q: Can I use a "cookie
wall" that blocks access unless the user accepts all cookies?
A: No. A cookie wall that forces users to accept
all cookies or leave the website does not constitute free consent under the
DPDPA. Users must be able to access the website and its core functionality even
if they reject non-essential cookies.
Q: Does Google Analytics require
consent under the DPDPA?
A: Yes. Google Analytics uses cookies that
create unique identifiers and track user behavior across sessions. This
constitutes processing of personal data under the DPDPA, requiring explicit
consent before the analytics script is loaded.
Q: What about cookies set by
third-party widgets like social media share buttons?
A: If third-party widgets (Facebook Like
buttons, Twitter embeds, YouTube video players) set cookies that track user
behavior, those cookies require consent. The website operator is responsible
for ensuring that third-party scripts do not place non-essential cookies before
the user has consented.
Q: How often should I audit my
website's cookies?
A: A comprehensive cookie audit should be
conducted at least quarterly, and immediately after any significant website
update, new feature launch, or third-party integration change. Automated cookie
scanning tools can perform continuous monitoring to catch new cookies as they
appear.
Q: What are the penalties for
non-compliant cookie practices?
A: Under the DPDPA, failure to obtain valid
consent for processing personal data can result in penalties of up to Rs 50
crore. If the non-compliant cookie practices contribute to a data breach,
penalties can reach Rs 250 crore. Beyond financial penalties, non-compliance
damages user trust and brand reputation.
Q: Is the DPDPA cookie requirement
similar to GDPR's cookie rules?
A: The principles are similar: both require
informed, specific, opt-in consent for non-essential cookies. However, the
DPDPA has its own definitions, enforcement mechanisms, and penalty structure.
Websites already compliant with GDPR cookie rules will find it easier to
achieve DPDPA compliance, but should not assume automatic compliance.
Q: Can I use a Consent Manager to
handle cookie consent?
A: Yes. The DPDPA introduces the concept of
registered Consent Managers who act as intermediaries between Data Principals
and Data Fiduciaries. Additionally, automated Cookie Consent Management
platforms (like the one offered by DPDP Consultants) provide the technical
infrastructure to implement compliant cookie banners, block scripts before
consent, and maintain consent records.
Make Your Website DPDPA-Compliant Before May 2027
The cookie consent landscape in India is about
to change permanently. Websites that continue with implied consent,
pre-selected checkboxes, and dark pattern banners will face regulatory action,
financial penalties, and loss of user trust. The time to act is now.
DPDP Consultants provides the expertise and
technology to make your website's cookie practices fully compliant with the
DPDPA. From initial cookie audits and classification to automated consent
banner deployment and ongoing monitoring, we handle every step.
Contact us today:
•
Website: www.dpdpconsultants.com
•
Email: info@dpdpconsultants.com
Your cookie banner is the first privacy interaction your
users have with your brand. Make it count.
Disclaimer: This document is prepared by DPDP Consultants for informational purposes only. It does not constitute legal advice and should not be relied upon as a substitute for professional legal counsel. The information contained herein is based on the Digital Personal Data Protection Act, 2023, and publicly available information about the DPDP Rules as of July 2026. Laws, regulations, and their interpretations may change. Readers should consult qualified legal professionals for advice specific to their circumstances. DPDP Consultants assumes no liability for any actions taken or not taken based on the contents of this document.